[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SLAPD_LISTEN increase

To: "J. Tingiris" <jtingiris@bellsouth.net>, OpenLDAP software list <openldap-software@OpenLDAP.org>
Subject: Re: SLAPD_LISTEN increase
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Wed, 04 May 2005 23:35:07 -0700
Cc: matthew sporleder <msporleder@gmail.com>
Content-disposition: inline
In-reply-to: <42796883.5080808@bellsouth.net>
References: <b0459d5c05050312083adf62d6@mail.gmail.com> <C396D9086A1D0F3420B123E4@[10.0.0.1]> <42796883.5080808@bellsouth.net>

--On Wednesday, May 04, 2005 8:27 PM -0400 "J. Tingiris" <jtingiris@bellsouth.net> wrote:

This is related to the Solaris backlog/listen queue.
"Implementations may limit the length of the socket's listen queue.  If
backlog exceeds the implementation-dependent maximum queue length, the
length of the socket's listen queue will be set to the maximum supported
value."

For more information, man listen(3XNET).

It seems Sun's best practice is to set the listen() call's backlog
integer considerably higher than the (expected) system
tcp_conn_req_max_q/0 buffer lengths so that it is ultimately controlled
by the system's maximum configured value.  In a nutshell, this enables a
binary application to be tuned without constantly recompiling (by
dynamically changing the appropriate ndd values).

This is old, but still affects all versions of Solaris:

"increasing the length of the backlog queue [with ndd] will have no
effect unless you also make an adjustment involving the listen() call on
the affected port(s). That is, listening applications will need to be
rebuilt to increase the requested backlog value, so that the new
SOMAXCONN value is reflected in so_qlimit"

So it also seems apropriate to increase this value very high to also
harden slapd against SYN Floods (on Solaris).  See:

http://www.ciac.org/ciac/bulletins/h-02.shtml

Two birds, one stone.

I will note that this advisory is from 1996, so I'm not sure how much the SYN flood issue applies... Given the rather large targets painted on Stanford's servers, if it were an issue I'm fairly certain we'd have seen it before.

The ndd parameter listed has also changed names since the advisory was written. It is:

tcp_conn_req_max_q

now.

I personally tune my ndd settings already, although my tcp_conn_req_max_q is only 1024. I'm somewhat curious about the adb line, and if that has changed somewhat since then.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin

Follow-Ups:
- Re: SLAPD_LISTEN increase
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- SLAPD_LISTEN increase
  - From: matthew sporleder <msporleder@gmail.com>
- Re: SLAPD_LISTEN increase
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: SLAPD_LISTEN increase
  - From: "J. Tingiris" <jtingiris@bellsouth.net>

Prev by Date: Re: slapd dying ...
Next by Date: Re: SLAPD_LISTEN increase
Index(es):
- Chronological
- Thread